Maryland is latest state to propose regulating use of biometrics
In recent years, Illinois’ costly and strict Biometric Information Privacy Act (“BIPA”), 740 ILCS § 14/1 et seq., has been used by the plaintiffs’ class action bar in Illinois and around the country to extract significant monetary settlements from unwary companies, causing substantial disruption to their businesses. Maryland legislators recently introduced a biometric information privacy law that echoes BIPA. The proposed law, titled “Commercial Law – Consumer Protection – Biometric Identifiers and Biometric Information Privacy,” would become only the second in the country to provide a private right of action to plaintiffs and allow successful litigants to recover attorneys’ fees and litigation costs.
If enacted, Maryland’s biometric law would impose sweeping regulations on private businesses. The draft legislation broadly defines “biometric identifiers.” Under Maryland’s proposed version of the law, biometric identifiers are defined to include any data based on “an individual’s biological characteristics.” Those characteristics include fingerprints, voiceprints, genetic prints, retina or iris images, “or any other unique biological characteristic.” Like BIPA, Maryland’s proposed statute would expansively define “biometric information” to mean “any information . . . based on an individual’s biometric identifier,” but exclude “information derived from an item or a procedure excluded under the definition of a biometric identifier,” such as photographs and information captured from patients in health care settings.
Maryland’s law would require private businesses that collect biometric identifiers to develop a publicly available written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Unlike BIPA, however, the policy need not be made available to the public if the policy “applies only to employees of the private entity” and “is used solely for internal company operations.” Maryland’s biometric law also would require businesses to obtain a written release from affected individuals and prohibit the disclosure of biometrics without consent.
Critically, Maryland’s potential biometric law carries with it the same strict penalties as BIPA. Plaintiffs are granted a private right of action and may recover up to $1,000 for each negligent violation, up to $5,000 for each intentional or reckless violation, or actual damages, whichever is greater. Further, plaintiffs’ attorneys can seek reasonable fees and litigation costs for prosecuting these claims.
A national trend
Maryland is not alone in proposing new legislation to regulate the collection and use of biometrics. On Jan. 6, 2021, New York legislators introduced a similar bill, titled the “Biometric Privacy Act.” New York’s Biometric Privacy Act also echoes BIPA and provides for a private right of action for aggrieved individuals along with statutory damages and attorneys’ fees and costs. And still more states have seen the introduction of biometric privacy laws of varying kinds. Both Texas and Washington already have laws regulating the collection and use of biometric information – though without the private right of action found in BIPA. Further, California’s Consumer Privacy Act went into effect on Jan. 1, 2020 and imposes obligations on businesses that collect and process personal information for California consumers. And within the last year, legislators in Utah, Vermont, Oklahoma, Maine, and Virginia have also introduced laws related to biometrics and data privacy.
This national trend is not limited to the states: on Aug. 4, 2020, Senators Jeff Merkley and Bernie Sanders introduced the National Biometric Information Privacy Act, a data privacy law modeled after BIPA. The National Biometric Information Privacy Act contains similar provisions to BIPA, proposing to regulate the use, retention, and disclosure of biometric identifiers by businesses and provide a private right of action for plaintiffs. And on Jan. 1, 2021, a city ordinance banning the use of facial recognition technology by private business took effect in Portland, Oregon. The Portland ordinance contains a private right of action allowing “[a]ny person injured by a material violation” to sue for actual damages or “$1,000 per day for each day of violation, whichever is greater,” and recover attorneys’ fees in certain situations.
Regulation on the horizon
BIPA – and increasingly, laws that copy it – present significant risks to businesses around the country. As many unsuspecting companies nationwide have found, doing business in cities and states without sufficient awareness of the legal landscape and appropriate preparation is often costly.
We will continue to monitor Maryland’s bill and other legal developments around the country regulating the collection and use of biometric information. For additional information or questions regarding these laws and the potential impact on your business, please contact the attorneys below.